[TYPO3] kb_md5fepw + forgot password -> Email Verification?

Gebhardt Thomas gebhardt at hrz.uni-marburg.de
Tue Oct 10 10:05:11 CEST 2006


Hi,

just trying to make a login form using the extensions
newloginbox + kb_md5fepw + sr_feuser_register .

When a user forgets her/his password and clicks on the 'forgot password'
link, a new password is generated and sent to the email address supplied in 
the form.

This feature may be misused, however. Anyone who can guess the email
address of other users can trigger a password change, which is annoying
at least.

Is there an obvious and easy way to prevent people changing the password
of other users, such as sending a verification email before the password change 
actually takes place? I did not find a corresponding config option, however.
(But I'm pretty sure that I'm not the first one who deals with that problem, 
so chances are good that a solution has already been implemented.)

I noticed that the email address in the 'forgot password' form is case 
sensitive while the input box in the registration field is not. I don't know
the rationale behind this behavior. One could, however, register with an
email address like jOn.dOE at eXAmple.cOM, which is not easy to guess,
thus preventing others changing the password. But people who can
memorize such strange email addresses usually also remember
their passwords :-)

Thanks for any hint, Thomas
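
The verification step asked about above, sketched as an added example that is not part of the original post and is not code from newloginbox, kb_md5fepw or sr_feuser_register. The in-memory user array, the function names, the one-hour lifetime and the use of password_hash() are assumptions; addresses are compared case-insensitively so the request form and the registration form behave the same way.

```php
<?php
// Added example. Constructed in-memory user store; a real site would use its own user table.
const RESET_TTL = 3600; // assumed lifetime of a confirmation link, in seconds

function normalizeEmail(string $email): string {
    return strtolower(trim($email));
}

// Step 1: the 'forgot password' form is submitted. The password is NOT changed;
// a random single-use token is created and only its hash is stored.
function requestReset(array &$users, string $email, int $now): ?string {
    $key = normalizeEmail($email);
    if (!isset($users[$key])) {
        return null; // caller shows the same message whether or not the address exists
    }
    $token = bin2hex(random_bytes(32));
    $users[$key]['reset_hash'] = hash('sha256', $token);
    $users[$key]['reset_expires'] = $now + RESET_TTL;
    return $token; // placed in the link of the verification mail sent to the owner
}

// Step 2: the link from the mail is opened. Only now is the password replaced.
function confirmReset(array &$users, string $email, string $token, string $newPassword, int $now): bool {
    $key = normalizeEmail($email);
    $u = $users[$key] ?? null;
    if ($u === null || empty($u['reset_hash']) || $now > $u['reset_expires']) {
        return false; // unknown user, no pending request, or link expired
    }
    if (!hash_equals($u['reset_hash'], hash('sha256', $token))) {
        return false; // constant-time comparison against the stored hash
    }
    $users[$key]['password'] = password_hash($newPassword, PASSWORD_DEFAULT);
    unset($users[$key]['reset_hash'], $users[$key]['reset_expires']); // single use
    return true;
}

// Constructed sample data and a short run-through.
$users = ['jon.doe@example.com' => ['password' => password_hash('old-secret', PASSWORD_DEFAULT)]];
$token = requestReset($users, 'jOn.dOE@eXAmple.cOM', time());
// The old password still verifies after a request triggered by anyone:
var_dump(password_verify('old-secret', $users['jon.doe@example.com']['password']));
// A guessed token is rejected, the mailed token is accepted once, then refused:
var_dump(confirmReset($users, 'jon.doe@example.com', 'guessed-token', 'x', time()));
var_dump(confirmReset($users, 'jon.doe@example.com', $token, 'new-secret', time()));
var_dump(confirmReset($users, 'jon.doe@example.com', $token, 'again', time()));
```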



